Refresh Tokens are long-lived. This means that when an OAuth Client receives a Refresh Token from an Authorization Server, it must store the token securely to keep it out of the hands of potential attackers. If a Refresh Token is leaked, it can be used to obtain new Access Tokens (and thereby access protected resources) until it is either blacklisted or expires, which may take a long time.

A Refresh Token must be issued to, and bound to, a single authenticated OAuth Client, so that a leaked token cannot be redeemed by any other party.
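As an added illustration of the two points above (not code from the original text), the following minimal refresh-grant handler for an Authorization Server stores only a hash of each Refresh Token, binds it to the client it was issued to, rejects it after expiry or revocation, and authenticates the client before honouring it. The client registry, token lifetimes and the rotate-on-use step are assumptions for the example.

```python
import hashlib
import hmac
import secrets

REFRESH_TOKEN_TTL = 30 * 24 * 3600  # assumed policy: refresh tokens live 30 days
ACCESS_TOKEN_TTL = 3600             # assumed policy: access tokens live 1 hour

# Constructed registry of confidential clients: client_id -> client_secret.
CLIENTS = {"client-a": "secret-a", "client-b": "secret-b"}

# Server-side store keyed by SHA-256 of the token; the raw token is never kept,
# so a database leak does not directly yield usable refresh tokens.
_refresh_store = {}

def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()

def issue_refresh_token(client_id: str, user: str, now: float) -> str:
    """Mint a refresh token bound to exactly one client; only its hash is stored."""
    token = secrets.token_urlsafe(32)
    _refresh_store[_digest(token)] = {"client_id": client_id, "user": user,
                                      "expires_at": now + REFRESH_TOKEN_TTL,
                                      "revoked": False}
    return token

def revoke_refresh_token(token: str) -> None:
    """Blacklist a token (e.g. on logout or after a suspected leak)."""
    rec = _refresh_store.get(_digest(token))
    if rec:
        rec["revoked"] = True

def refresh_grant(client_id, client_secret, refresh_token, now):
    """Handle grant_type=refresh_token. Returns (ok, payload_or_error)."""
    # 1. The client must authenticate; compare secrets in constant time.
    expected = CLIENTS.get(client_id)
    if expected is None or not hmac.compare_digest(expected, client_secret):
        return False, "invalid_client"
    rec = _refresh_store.get(_digest(refresh_token))
    # 2. The token must exist, be unrevoked and unexpired.
    if rec is None or rec["revoked"] or now >= rec["expires_at"]:
        return False, "invalid_grant"
    # 3. The token must belong to this client; a mismatch means the token
    #    leaked, so refuse it and burn it for the legitimate client as well.
    if rec["client_id"] != client_id:
        rec["revoked"] = True
        return False, "invalid_grant"
    # 4. Rotate on use (assumed practice): retire the presented token and issue
    #    a fresh pair, limiting how long a copied token remains useful.
    rec["revoked"] = True
    new_refresh = issue_refresh_token(client_id, rec["user"], now)
    return True, {"access_token": secrets.token_urlsafe(32),
                  "expires_in": ACCESS_TOKEN_TTL, "refresh_token": new_refresh}
```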